DeconstruCT.F 2023 - Missing
Description
Category: OSINT
Jason Todd went missing, and all Alfred was able to recover from his PC was this file. Help Alfred find Jason.
Hint
Rule 3 does not apply here. Bruteforce is allowed
Resolution
1. Crack the rar
We have an encrypted jason.rar archive.
We crack it with John the Ripper:
$ ./rar2john jason.rar > hash
$ john hash --wordlist=rockyou.txt
Warning: detected hash type "RAR5", but the string is also recognized as "RAR5-opencl"
Use the "--format=RAR5-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 56 password hashes with no different salts (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
1983 (jason.rar)
56g 0:00:01:48 DONE (2023-08-05 22:37) 0.5138g/s 439.2p/s 439.2c/s 24597C/s 290392..01011985
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
2. Git commit history
Now that we have the password, we can decrypt the archive.
In the archive we have 2 directories:
cryptic-tod-secure
nothing_here_to_look_at
We went inside nothing_here_to_look_at and searched for info.
The only notable file is empty.txt, which seemed to contain a link:
this link might be interesting
...
find my github pages site that i accidentaly deleted to find what u want :P
...
Since there is a .git directory, we can see the history with git log:
$ git log
commit 65e36b3f6fc7baa97fdb17ae17d4d0ab2ac9ff71 (HEAD -> main, origin/main, origin/HEAD)
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Wed Jun 1 17:33:30 2022 +0530
Create encoded.txt
commit c707cc578d25efe99348ed9e267156a8203224ae
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Wed Jun 1 17:32:13 2022 +0530
Create secret.txt
commit 38daa614da04a03b6c02149504bda43d56dcbd8a
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Sat May 28 11:41:55 2022 +0530
Update empty.txt
commit f50086b592f94cc8d05f9b1dde2eeb10d6c4713c
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date: Fri May 27 11:52:07 2022 +0530
something for u
We switch to an older version of the repo, from before empty.txt was modified:
$ git restore .
$ git checkout f50086b592f94cc8d05f9b1dde2eeb10d6c4713c
Now we open empty.txt and there is a base64-encoded string:
aHR0cHM6Ly93d3cuaW5zdGFncmFtLmNvbS90b2RkX2phc29uX3NlY3VyZS8=
Once decoded, it gives us a link: https://www.instagram.com/todd_jason_secure/
3. Instagram account
Since I don’t have an Instagram account, I used Picuki to see the profile:
There are two posts:
We get the first part of the flag in the second post: dsc{h4vINg_FuN_w1
In the first post, there are 13 comments, and one of them points us to the next step:
4. Twitter account
For this step, you need a Twitter account.
On Twitter we search for todd_jason_secure:
We find the tweet which gives us the second part of the flag:
The second part of the flag is base32-encoded; once decoded, we have: 7h_O5INT_@Nd_m4p5}
And finally we get the flag: dsc{h4vINg_FuN_w17h_O5INT_@Nd_m4p5}
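An added example, not part of the original write-up: steps 2 and 4 both come down to spotting an encoded string and decoding it, and step 2 finds it in an older commit of a file that was later "cleaned". The Python sketch below runs the same audit over a repository you maintain to see what its history still exposes; `find_encoded`, `scan_history` and the 16-character token threshold are names and choices made for this example, and `scan_history` assumes the git CLI is installed.

```python
import base64
import binascii
import re
import subprocess

# Candidate tokens: long runs drawn from each alphabet, plus optional padding.
B32_TOKEN = re.compile(r"[A-Z2-7]{16,}={0,6}")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DECODERS = (
    ("base32", B32_TOKEN, base64.b32decode),
    ("base64", B64_TOKEN, lambda tok: base64.b64decode(tok, validate=True)),
)


def find_encoded(text):
    """Return (encoding, plaintext) for tokens that decode to printable ASCII."""
    hits = []
    for name, pattern, decode in DECODERS:
        for token in pattern.findall(text):
            try:
                plain = decode(token).decode("ascii")
            except (binascii.Error, ValueError):
                continue  # wrong padding, wrong alphabet, or binary output
            if plain.isprintable() and (name, plain) not in hits:
                hits.append((name, plain))
    return hits


def scan_history(repo, path):
    """Scan every committed version of path (relative to the repo root)."""
    def git(*args):
        return subprocess.run(["git", "-C", repo, *args], check=True,
                              capture_output=True, errors="replace").stdout

    findings = []
    for commit in git("log", "--format=%H", "--", path).split():
        try:
            blob = git("show", f"{commit}:{path}")
        except subprocess.CalledProcessError:
            continue  # path was deleted in this commit
        findings += [(commit[:8], *hit) for hit in find_encoded(blob)]
    return findings


if __name__ == "__main__":
    # The string the write-up found in the older version of empty.txt.
    sample = "aHR0cHM6Ly93d3cuaW5zdGFncmFtLmNvbS90b2RkX2phc29uX3NlY3VyZS8="
    print(find_encoded(sample))
```

Calling `scan_history("nothing_here_to_look_at", "empty.txt")` on the extracted repository would list each commit whose version of the file contains a decodable token.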